A solution for supporting MFA in Shibboleth IdPs in

accordance with REFEDS MFA Profile

MICHELLE WANGHAM

Coordinator of the Identity Management Technical Committee, RNP (Brazilian NREN)

[ 2 ]

• Motivation and Objectives

• Current Implemented 2FA technologies

• Solution Architecture

✓ Authentication flows

✓ Second factor Lifecycle management

• Work in progress

• Concluding Remarks

TABLE OF CONTENTS

[ 3 ]

MOTIVATION

[ 4 ]

MOTIVATION

✓ easy-to-guess passwords

✓ same password in multiple accounts

✓ write the passwords

✓ shoulder surfing

✓ phishing

✓ social engineering

✓ brute force attacks

✓ and purchase of leaked passwords

[ 5 ]

• Password-based credentials are the most used in Academic Federations

• Federated SSO facilitates the job of the attackers

• Multi-factor authentication (MFA) emerges as a solution

✓ Authentication process robustness

✓ The most cost-effective mechanisms

• REFEDS: MFA Profile

✓ Requirements that an authentication event must meet in order to

communicate the usage of MFA.

✓ A SAML authentication context for expressing this in SAML.

MOTIVATION

[ 6 ]

OBJECTIVES

A complete open source solution to offer MFA – based on the REFEDS

MFA profile – for Shibboleth Identity Providers

✓ Open Innovation Research and Development project funded by RNP

✓ First year: developed a prototype and evaluated it in a testbed (GIdLab)

✓ Second year: working on the pilot together with four institutions

✓ 2020: CAFe IdPs

[ 7 ]

Our Solution Features

Usability

Loose coupling

• Easy to install and update our code on current Shibboleth IdP

Modular

• Easy to activate/deactivate second-factor technologies

• Easy to add new second-factor technologies

• Persistent layer allows different database implementations

Interoperability

security

usability

[ 8 ]

• One-Time Password (OTP): used with a

TOTP mobile app (Google Authenticator,

Authy, etc.)

• Phone prompt: app (Android) with a

simple yes/no dialog

• FIDO2 (WebAuthn): usb token

• Backup codes: last resource before

contacting IT support.

Current

Implemented 2FA

technologies

[ 9 ]

• One-Time Password (OTP)

Current

Implemented 2FA

technologies

✓ Users must have a smartphone; but it does not require Internet connection

✓ A lot of users already use OTP applications on their smartphones

[ 10 ]

• Phone prompt: app (Android)

with a simple yes/no dialog

Current

Implemented 2FA

technologies

✓ It is more user friendly compared to the OTP solution

✓ Users must have a smartphone or smartwatch with Internet connection

[ 11 ]

• FIDO2 (WebAuthn): usb token

✓ It offers the best usability and the most secure among the previous options.

[ 12 ]

• Multi-Factor Provider (MFaP) is a Java

application that can be deployed by the

same Java application server where

Shibboleth IdP has been deployed

✓ It could be in a different java application

server

• The interaction between IdP and MFaP is

done by using an IdP Authentication Flow

✓ MFaP offers a RESTful API that can be

consumed only by its IdP

SOLUTION ARCHITECTURE

[ 13 ]

• MFaP install script: automates the installation task ( a set of questions)

• Customized script for CAFe IdM Virtual Machine

✓ Ubuntu + Shibboleth IdP 3.3.1 + breduperson

✓ User Manual to install (Portuguese)

• Documentation to develop new 2FA technologies and integrated them to

the MFaP (Portuguese)

• MFaP upgrade: using a specific script written to the update

MFaP Installation and Upgrade

[ 14 ]

Authentication flow using Phone prompt

[ 15 ]

UML Component Diagram

[ 16 ]

• Binding: the user can enable one or more technologies to act as his/her extra

factor

• Replacing: the user can change the current second factor at any time

• Revocation: the user can delete the current second factor at any time

Lifecycle management of second factor (Self-service)

Backup codes are automatically generated when the user enables the

second factor authentication (10 codes can be used only once)

[ 17 ]

Dashboard (Portuguese)

[ 18 ]

• Pilot Evaluation

• Dashboard improvements: allows user to register more than one USB token

FIDO2

• Browser cookies to keep MFA session

• Phone Prompt for iOS

• MFaP Install script

• Internationalization

WORK IN PROGRESS

[ 19 ]

• Open source MFA solution based on the REFEDS MFA profile for Shibboleth

Identity Provider.

• Chosen 2FA technologies balance between usability and robustness

• Works on different scenarios: a smartphone and internet, smartphone without

internet connection and without a smartphone

• Our Solution can be extended with new technologies to act as extra

authentication factor.

CONCLUDING REMARKS

[ 20 ]

• Coordinators

✓ Emerson Mello (IFSC): Principal Investigator

✓ Carlos Eduardo da Silva (UFRN)

✓ Michelle Wangham (UNIVALI)

• Developers

✓ Bruno Bristot Loli

✓ Felipe Passos Cardoso

✓ Gabriela Cavalcanti da Silva

✓ Samuel Bristot Loli

✓ Shirlei Aparecida de Chaves

GT-Ampto Team

• R&D Director

✓ Iara Machado

• R&D Manager

✓ André Marins

• R&D Coordinator

✓ Clayton Reis

MICHELLE WANGHAM - wangham@univali.br

Thank you! Questions?